IEEE 802.11u

IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks.

802.11 is a family of IEEE technical standards for mobile communication devices such as laptop computers or multi-mode phones to join a wireless local area network (WLAN); it is widely used in the home, in public hotspots and in commercial establishments.

802.11u provides for the discovery of suitable networks before association (preassociation) through the advertisement of access network type (private network, free public network, or for-fee public network), roaming consortium, and venue information.

It defines the Generic Advertisement Service (GAS), which provides Layer 2 transport of an advertisement protocol's frames between a mobile device and a server in the network prior to authentication. The access point is responsible for relaying a mobile device's query to a server in the carrier's network and for delivering the server's response back to the mobile device.

It also provides the Access Network Query Protocol (ANQP), a query and response protocol used by a mobile device to discover a range of information, including the hotspot operator's domain name (a globally unique, machine-searchable data element); the roaming partners accessible via the hotspot, along with their credential type and the EAP method supported for authentication; IP address type availability (for example, IPv4, IPv6); and other metadata useful in a mobile device's network selection process.
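As an added illustration (not text from the standard or code from any vendor implementation), the following Python decodes the ANQP element types named above from a constructed response. The Info ID values and element layouts follow 802.11u; because ANQP is received before association from an access point that has not yet been authenticated, every length field is bounds-checked and malformed data raises an error instead of being acted on.

```python
import struct

# ANQP Info IDs assigned by 802.11u for the data the article lists; EAP method numbers per IANA.
ANQP_ROAMING_CONSORTIUM, ANQP_IP_TYPE, ANQP_NAI_REALM, ANQP_DOMAIN_NAME = 261, 262, 263, 268
EAP_NAMES = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA", 25: "PEAP"}

def _take(buf, off, n):
    """Bounds-checked slice: ANQP arrives pre-association from an unauthenticated AP."""
    if off + n > len(buf):
        raise ValueError("truncated ANQP data")
    return buf[off:off + n], off + n
def anqp_elements(payload):
    """Yield (info_id, body) per element: Info ID (2 octets LE), Length (2 octets LE), body."""
    off = 0
    while off < len(payload):
        hdr, off = _take(payload, off, 4)
        info_id, length = struct.unpack("<HH", hdr)
        body, off = _take(payload, off, length)
        yield info_id, body
def length_prefixed(body):
    """Domain Name and Roaming Consortium bodies: repeated (1-octet length, value) fields."""
    items, off = [], 0
    while off < len(body):
        item, off = _take(body, off + 1, body[off])
        items.append(item)
    return items
def nai_realms(body):
    """NAI Realm element: 2-octet count, then per realm: 2-octet length, encoding, realm, EAP methods."""
    off, realms = 2, []
    for _ in range(struct.unpack_from("<H", body)[0]):
        data, off = _take(body, off + 2, struct.unpack_from("<H", body, off)[0])
        realm, p = _take(data, 2, data[1])      # octet 0 = encoding, octet 1 = realm length
        count, p, methods = data[p], p + 1, []  # EAP Method Count
        for _ in range(count):
            m, p = _take(data, p, 1 + data[p])  # Length octet covers method, param count, params
            methods.append(EAP_NAMES.get(m[1], m[1]))
        realms.append((realm.decode(), methods))
    return realms
DECODERS = {ANQP_DOMAIN_NAME: lambda b: [d.decode() for d in length_prefixed(b)],
            ANQP_ROAMING_CONSORTIUM: lambda b: [oi.hex() for oi in length_prefixed(b)],
            ANQP_IP_TYPE: lambda b: {"ipv6": b[0] & 0x3, "ipv4": (b[0] >> 2) & 0xF},  # bit fields
            ANQP_NAI_REALM: nai_realms}
def parse_response(payload):
    """Decode each known element of an ANQP response; unknown Info IDs are kept as raw bytes."""
    return {i: DECODERS.get(i, bytes)(b) for i, b in anqp_elements(payload)}
SAMPLE = (struct.pack("<HH", ANQP_DOMAIN_NAME, 12) + b"\x0bexample.net"  # constructed sample, not a capture
          + struct.pack("<HH", ANQP_ROAMING_CONSORTIUM, 4) + b"\x03\x50\x6f\x9a" + struct.pack("<HH", ANQP_IP_TYPE, 1) + b"\x0c"
          + struct.pack("<HH", ANQP_NAI_REALM, 24) + struct.pack("<HH", 1, 20)  # one realm, 20-octet realm data
          + b"\x00\x0bexample.net\x02\x02\x0d\x00\x02\x15\x00")  # encoding, realm, 2 methods: EAP-TLS, EAP-TTLS
```

Calling parse_response(SAMPLE) yields the domain "example.net", the consortium OI 506f9a, IPv4 type 3 (single NATed private) with no IPv6, and a realm offering EAP-TLS and EAP-TTLS; truncating the response by one octet raises ValueError.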

IEEE 802.11 currently assumes that a user's device is pre-authorized to use the network. IEEE 802.11u covers the cases where that device is not pre-authorized. A network will be able to allow access based on the user's relationship with an external network (e.g. hotspot roaming agreements), indicate that online enrollment is possible, or allow access to a strictly limited set of services such as emergency services (client to authority and authority to client).

From a user perspective, the aim is to improve the experience of a traveling user who turns on a laptop in a hotel many miles from home, or uses a mobile device to place a phone call. Instead of being presented with a long list of largely meaningless SSIDs, the user could be presented with a list of networks, the services they provide, and the conditions under which the user could access them. 802.11u is central to the adoption of UMA and other approaches to networking mobile devices.

Because a relatively sophisticated set of conditions can be presented, arbitrary contracts could be presented to the user, and might include providing information on the motive, demographics or geographic origin of the user. As such data is valuable to tourism promotion and other public functions, 802.11u is thought to motivate more extensive deployment of IEEE 802.11s mesh networks.

Mobile users, whose devices can move between 3G and Wi-Fi networks at a low level using 802.21 handoff, also need a unified and reliable way to authorize their access to all of those networks. 802.11u provides a common abstraction that all networks regardless of protocol can use to provide a common authentication experience.

There have been proposals to use IEEE 802.11u for access points to signal that they allow EAP-TLS using only server-side authentication.[4] Unlike most TLS implementations of HTTPS, such as major web browsers, the majority of EAP-TLS implementations require client-side X.509 certificates without offering an option to disable the requirement, even though the standard does not mandate their use; some have identified this as having the potential to dramatically reduce adoption of EAP-TLS and to prevent "open" but encrypted access points.[5][6]

RFC 5216: The EAP-TLS Authentication Protocol, Internet Engineering Task Force, March 2008: "The certificate_request message is included when the server desires the peer to authenticate itself via public key. While the EAP server SHOULD require peer authentication, this is not mandatory, since there are circumstances in which peer authentication will not be needed (e.g., emergency services, as described in [UNAUTH]), or where the peer will authenticate via some other means."